Google spews critical Android patch as millions of gadgets hit by Linux kernel bug

Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices. The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18 – we're talking millions of gadgets and handhelds, here. The vulnerability is a privilege elevation that …

  1. Anonymous Coward

    All Android devices running kernel < 3.18?

    What's that in standard person's terms?

    Does that mean Android 4.4.x is affected?

    1. Teoh Han Hui

      Re: All Android devices running kernel < 3.18?

      It probably means all of them are affected. On my Nexus 5 running Android 6.0.1 with a security patch level of March 1, the kernel version is 3.4

      1. Anonymous Coward

        Re: All Android devices running kernel < 3.18?

        Damn. So my 12.2" Samsung Galaxy Note Pro tablet (which they don't release updates for) just became a paperweight.

        F**k you Samsung. :(

        Definitely buying an iPad pro next time.

        1. PeterGriffin

          Re: All Android devices running kernel < 3.18?

          Cyanogenic.

  2. jonfr

    That covers Android 6.0 (most versions)

    At least the version on my phone is 3.10.84 so it means it is vulnerable. I don't know when Sony is going to issue a patch. At least I'm not holding my breath over it.

    1. Richard 22

      Re: That covers Android 6.0 (most versions)

      So I had a quick look - it turns out that this patch has been in the 3.10 LTSI tree since June 2015, and it is in fact already in 3.10.84. The log for the relevant file at the 3.10.84 release is here:

      https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/fs/pipe.c?h=v3.10.84&id=f1178e991adbe6ea8a7524c8c83fa479dc26c765

      The top commit is the one referenced by the Google advisory. So although Google have only just pushed a patch for this, the Sony Android 6.0 release is already covered.

      1. Richard 22

        Re: That covers Android 6.0 (most versions)

        I should have said - the fix first appeared in 3.10.82

        https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/fs/pipe.c?h=v3.10.82
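An added example (not part of any comment in this thread, and not Google's or the kernel project's code): a shell function that classifies a kernel release string using only the two data points given above, the article's "below 3.18" cutoff and Richard 22's note that the 3.10 stable tree carries the fix from 3.10.82. The result labels are invented for illustration; every other kernel line is reported as needing a vendor check because the thread gives no fix version for it.

```shell
#!/bin/sh
# Added example: triage a kernel release string for CVE-2015-1805 using only
# the facts stated on this page. Result labels are hypothetical names.
#   not-affected   3.18 or newer (article: "kernel versions below 3.18")
#   fix-in-stable  3.10.y with y >= 82 (Richard 22: fix first appeared in 3.10.82)
#   check-vendor   older line; only a vendor backport can settle it
#   unparsed       string is not MAJOR.MINOR[.PATCH][suffix]
classify_kernel() {
    rel=$1
    base=${rel%%-*}              # drop vendor suffix, e.g. "-2304514"
    major=${base%%.*}
    rest=${base#*.}
    if [ "$rest" = "$base" ]; then   # no dot at all
        echo unparsed; return 0
    fi
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then
        patch=0                      # "3.4" means 3.4.0
    else
        patch=${rest#*.}
        patch=${patch%%[!0-9]*}      # stop at "+", ".", or any other suffix
    fi
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unparsed; return 0 ;;
        esac
    done
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; }; then
        echo not-affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 10 ] && [ "$patch" -ge 82 ]; then
        echo fix-in-stable
    else
        echo check-vendor
    fi
    return 0
}

# Kernel versions quoted by commenters in this thread, used as sample input.
for k in 3.4 3.10.84 3.4.0-2304514 3.10.20; do
    printf '%-16s %s\n' "$k" "$(classify_kernel "$k")"
done
```

On a device, pass it the output of `uname -r`; a `check-vendor` result means the version number alone cannot tell you whether the fix was backported.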

  3. Tom 7

    I've never been too impressed by phones

    but the fact my phone spends more time updating than I do using it is starting to piss me off.

    1. TeeCee Gold badge

      Re: I've never been too impressed by phones

      WTF is it??!!??

      For the vast majority of Android phones, updates are slightly more rare than Dodos and Unicorns are in the wild.

      I've already calculated that my chances of getting this fix are exactly Fuck All.

      1. John Brown (no body) Silver badge

        Re: I've never been too impressed by phones

        He probably means all the constant app "updates" which, in general, seem to mainly be updates to the apps built-in ad engine, or just storing new/updated ads for when there's no connectivity.

  4. Anonymous Coward

    Excuse me?

    "Affected users will need to re-flash an instance of the Android operating system."

    WTF?

    Never heard MS or Apple say, to fix this issue you need to wipe your entire system and start again.

    1. RyokuMas

      Re: Excuse me?

      To be fair, I have had to reinstall Windows a few times when things went horribly wrong - but that was back in the dark days of XP, never had that problem since Win7.

      But these days, with Android and Google, I can't help but get the feeling of "meet the new boss, same as the old boss"

    2. Richard 22

      Re: Excuse me?

      Poorly worded article.

      Needs the kernel updating to one with the patch. Nothing more, nothing less.

    3. Anonymous Coward

      Re: Excuse me?

      To fix the vulnerability in and of itself, all that is required is flashing an image containing an update to the patched kernel.

      However, if the phone has been rooted using the vulnerability, you need to flash the entire Android system image to your phone to ensure all system files are restored to OEM state with no additions.

      The same would be true for this type of vulnerability on iOS or Windows Phone.

  5. To Mars in Man Bras!

    Thanks For Your Concern, Google. I'll Stay Rooted

    The only reason my Android devices are rooted is so I can use an edited `/etc/hosts` file to block the hundreds of data-slurpers, ad-slingers and malware-peddlers infesting the internet. If Google would allow me to edit this one solitary file, I'd have no need to root Android and would happily apply their security updates.

    Of course that would mean I'd have a secure kernel *AND* not be seeing adverts —and Google are determined I've got to choose one or the other. So, weighing up the pros and cons, I think I'll stick with what I've got. I reckon there's far more chance of picking up some 'nasty' running an OS with a "Welcome" mat for a hosts file, than there is of someone tricking me into running a kernel exploit.

    PS: Loving the new Captcha test, El Reg. Pure genius making me do it in between each post preview and then again before submitting. Tell me. Have any of your web design team ever heard of the concept of "usability"?

  6. Pseudonymous Diehard

    So...

    If the update has been sent to manufacturers we'll see it....never?

    Galaxy Note 3 here. Still going strong. Android 5.0 kernel 3.4.

    Haven't seen an update for ages.

    My kernel build suggests 19th November 2015.

  7. fortran

    On Poor Writing

    I started reading comments on CVE-2016-0805 (and 0819) last night. Trend Micro had a comment which suggested that the issues behind 0805 had been sent to manufacturers quite a while ago, and were dealt with in the patch dated Feb 2, 2016. Now first thing this morning, I read this? With no coffee in the system. This no rooting of phones is an annoying rule, if the reason to root the phone is to get security patches to the OS. Maybe if I drink my coffee, this will all go away?

    There is no sense unwrapping the new phone, if it isn't going to be possible to put a secure OS on it for months, or ever.

    1. Anonymous Coward

      Re: On Poor Writing

      Trend Micro have shown to be unreliable snake-oil scareware scumbags in the past, I wouldn't trust them as far as I could throw them, I certainly wouldn't buy any security product from someone like them

  8. Rob Crawford

    Android devices with a security patch level of 2 April are patched against the flaw. ®

    Should I break out my time machine or just travel through time the slow way?

  9. John 104

    Trick Question

    Is this one of those trick questions like back in school?

    "affects all Android devices running Linux kernel versions below 3.18"

    My 4.4 S5 is running 3.4.0-2304514. Or is the article poorly written and it should have read kernel versions ABOVE 3.18?

    Confused.

  10. Marcelo Rodrigues

    Run for the hills!

    Asus Zenfone 2.

    Patch level: 1st Jan 2016

    Android version: 5.0

    Firmware 2.20.40.174

    Kernel version: 3.10.20 <- sigh

    Ah, well. Can't have everything. Asus promised Android 6 very soon. One can always hope...

  11. Skribblez

    Safest to buy a Google phone I guess?

    Yay! Glad I bought one of those Google owned Motorola Moto Gs, so that it was kept up to date on OS updates until Google sold Motorola...

    I'm starting to think the Apple luxury tax is worth it for the updates to the OS. At least the walled garden doesn't feel like a vacant lot. :-(

  12. Kevin McMurtrie Silver badge

    "can only be done with the help of manufacturers and carriers"

    Luckily, there's a vulnerability that can be used as a workaround.

  13. Brian Miller

    Bought Nexus, where's the updates?

    When I bought my Nexus, I figured that I'd be getting updates for a good while. Nope, nothing for Nexus 4. Android 5.1.1, and that's it. No more updates for you, go buy a new phone.

    Or I could put the next OS myself, and do it every time they update that image. Or maybe I should run Cyanogen.

    But what this comes down to, is that many many millions of devices are forever vulnerable. Gee, thanks, Google.

  14. Anonymous Coward

    The real issue is that Linux treats many vulnerabilities as bugs

    The real issue here is that the vulnerability wasn’t called out as a security fix in the Linux kernel, when it was discovered. This happens far too often (both in Linux, as well as in proprietary software and other open source projects). But for Linux - see http://yarchive.net/comp/linux/security_bugs.html - the predominant school of thought that once a security flaw is fixed (as a bug), there isn't an issue, is plainly wrong. This example is clearly showing this. The consequence is that vendors who build on top of Linux (and similar platforms) have to evaluate every bug-fix to check whether they are possibly a vulnerability they may be exposed to. That is a) wasteful and b) does not scale in projects with a high development velocity. The consequence is that issues only get discovered if a security researcher connects the dots and informs the vendor (as in this case) or when it is discovered that the issue is exploited in the wild.

  15. Skribblez

    Woot! First generation Moto G just got security updates!

    First generation Moto G just got security updates! Seems it still gets support after all, just a couple months late. Latest patch brings the security patch level up to 2016-03-01!

    Go Google! Go Motorola!

    Oh, wait...

    They sure do make Apple look good...
